Recently I came across a great GitHub page entitled Big-Data-Broker-Opt-Out-List which contains a list of companies that collect your personal data, likely without your knowledge, and how to opt-out of said services.
These services in some cases scrape public records from state government services, may track you through the applications you use on your phone or the sites you visit, potentially scrape social media services such as LinkedIn, or really even all of the above to build a better profile around you.
The Wall Street Journal recently released an article entitled Federal Agencies Use Cellphone Location Data for Immigration Enforcement which includes a passage:
U.S. Immigration and Customs Enforcement, a division of DHS, has used the data to help identify immigrants who were later arrested, these people said. U.S. Customs and Border Protection, another agency under DHS, uses the information to look for cellphone activity in unusual places, such as remote stretches of desert that straddle the Mexican border, the people said.
There is no way to buy just criminal data, and the thought of DHS tracking American citizen's location without a warrant is gross and ripe for abuse.
While doing recon on a target, adversaries will often times use some of these exact services to collect data on employees of their target organization. There was a great Episode (thought I don't recall which) of the Darknet Diaries Podcast where the red team did exactly this and found an employee of a victim organization was really into supporting a specific charity, and used this against the organization in a target vishing/phishing attack and were met with great success.
More elegantly put via Mitre ATT&CK ID T1589:
Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.
Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[1][2][3][4][5][6][7][8] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: Phishing or Valid Accounts).
By opting out you can make it much harder and really make them work a little extra to gather information on you.
Note: This of course will not stop cyber criminals, stalkers, or the Government from tracking you. This will only minimize what's publicly out there to make it that much more difficult. If you have reason to believe you are actively being targeted, or may be in the future - consider contacting law enforcement or working with a professional organization such as the EFF.
If you are like me and think that it is absurd that these companies can collect this information and that in some cases they charge you to remove it, than consider contacting your State Representatives and ask them to pass much needed privacy legisation.
Alternatively | additionally - consider donating to the EFF as they do a lot of great advocacy in this space.
Signalblur Cyber Threat Intelligence is a cybersecurity company that delivers exceptional services and empowers organizations with accessible, cutting-edge solutions. Our founder brings years of experience from a Fortune 50 company and building Cyber Security Operations Centers.
For any inquiries, please email us at contact@signalblur.io
